CVE-2019-25224
WP Database Backup < 5.2 - Unauthenticated OS Command Injection
Vexday Risk Score
68Prioridad alta
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 9.8EPSS 16.7%KEV nãoPoC públicaNuclei —Metasploit simPatch —
Ciclo de vida
24 abr 2019Exploit Metasploit disponible
25 jul 2025Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
databasebackup · WP Database Backup – Unlimited Database & Files Backup by Backup for WPPoCs públicas encontradas — 1
cve_referencepacketstormsecurity.com/files/153781/no verificado⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.
¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.htmlhttps://packetstormsecurity.com/files/153781/https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backuphttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rbhttps://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve